"Greg Donald" <destiney@xxxxxxxxx> wrote in message
news:ea9da26c04120712282c5fc587@xxxxxxxxxxxxxxxxx
> The other day a post came across one of those mailing lists discussing
> PHP security. One of the posters was describing how insecure PHP's
> file upload functionality is and went on to explain a simple method of
> attaching exploit code to the end of a jpeg or other image format,
> then proceeding in uploading the image to the target site that
> accepted image uploads. The code would be executed as PHP in spite of
> the file type detection.

Chris already gave a good response to all this, but I am curious myself -
can this mystery antagonist provide an example exploit? What he is
suggesting seems impossible, unless for some strange reason you have set
Apache to execute .jpg files as PHP code. In which case the security hole is
the admin who set things up like that, not PHP!

Can you also provide a link to the relevant message in the mailing list
archive? I would like to read this myself.

-Josh

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
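
The condition raised in the reply above, Apache being set to execute .jpg files as PHP, can be checked in the server configuration. This is an added example, not part of the original post: a Python audit of Apache configuration text for AddType/AddHandler lines that send image extensions to PHP. The function names, the list of handler names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Image extensions that should never be handed to the PHP interpreter.
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}

# Matches "AddType <value> <ext>..." and "AddHandler <value> <ext>...".
# Comment lines start with "#", so they never match this pattern.
DIRECTIVE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.IGNORECASE)

# Commonly used names that route a file to PHP (assumed list; extend as needed).
PHP_HANDLER = re.compile(r"application/x-httpd-php\d*|php\d*-script")


def is_php_handler(value):
    """True when a handler or media-type name hands the file to PHP."""
    return PHP_HANDLER.fullmatch(value.strip('"').lower()) is not None


def find_image_php_mappings(config_text):
    """Return (line_number, directive, extension) for image extensions mapped to PHP."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        directive, value, rest = match.groups()
        if not is_php_handler(value):
            continue
        # Extensions may be written with or without the leading dot, in any case.
        for ext in rest.split():
            ext = ext.strip('"').lstrip(".").lower()
            if ext in IMAGE_EXTS:
                findings.append((number, directive, ext))
    return findings


# Constructed sample configuration, not taken from any real server.
SAMPLE_CONFIG = """\
AddType application/x-httpd-php .php
# AddType application/x-httpd-php .jpg
AddType image/jpeg .jpg .jpeg
AddHandler application/x-httpd-php .php .JPG
AddHandler php5-script gif
"""

if __name__ == "__main__":
    for number, directive, ext in find_image_php_mappings(SAMPLE_CONFIG):
        print(f"line {number}: {directive} sends .{ext} files to PHP")
```

The check covers only AddType and AddHandler lines; SetHandler inside <FilesMatch> blocks and per-directory .htaccess files need separate review.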